Thurbo AG

Privacy Policy

This Privacy Policy explains the nature, scope and purpose of the processing of your personal data (hereinafter referred to concisely as “data”) within the context of our online service and the associated websites, features and content, as well as our external presence online, such as our social media profiles (hereinafter referred to collectively as “online service”). Please see Article 4 of the General Data Protection Regulation (GDPR) for definitions of the terminology used, such as “processing” or “controller”.

We treat your data confidentially.

Protecting your personal data and personal privacy is important to us. We guarantee to process your personal data in compliance with the requirements of data protection legislation. In short, we adhere strictly to the following principles when processing your personal data:

You decide how your personal data will be processed.

The law says that you can refuse at any time to allow your data to be processed, withdraw your consent to its collection and processing or ask for your data to be deleted.

We offer you added value when we process your data.

We use your data exclusively to provide you with a service and to offer you added value (such as personalised offers, information and support). We will therefore use your data only to help us develop, deliver, optimise and evaluate our services or to improve customer relations.

We will not sell your data.

Your data will only be disclosed to the carefully selected third parties listed in this privacy statement and only for the purposes explicitly identified. We insist that any third parties we ask to process your data comply with our own data privacy standards.

We guarantee the security and protection of your data.

We promise to handle your data with care and to keep it safe and secure. We have put in place appropriate organisational and technical measures to safeguard your data.

Please see below for more detailed information on how we handle your data.


Regionalbahn Thurbo AG is responsible for the processing of your data.Please do not hesitate to contact our in-house data protection officer if you have any questions or comments regarding data protection. You can either write to him by post:Regionalbahn Thurbo AG Datenschutzbeauftragter Bahnhofstrasse 31 Postfach 2272 8280 Kreuzlingen 1 Switzerland

or by e-mail: datenschutz[at]

What does "shared responsibility in public transport mean"?

Thurbo is responsible for processing your data. As a public transport service provider, we have a legal obligation to collaborate with other transport operators and partners in the provision of certain passenger transport services ("Direct Service").

For this purpose and other purposes described in this data privacy statement, we share data at national level within "National Direct Service" (NDS), an association of over 240 transport operators and public transport partner companies. The individual TSPs and partners are listed here. Data acquired from customers who purchase services or supply contact details are stored in a central database which is managed by SBB on behalf of NDS and for which we are jointly responsible with the other NDS companies and partners (the DS database).

When services are purchased by customers using their SwissPass login, the data is stored in another central database (the SwissPass database), for which we are jointly responsible with the TSP and the NDS community. The database is managed by SBB on behalf of NDS. To improve service efficiency and streamline the working relationship between the companies involved, the data from the different databases may be merged. To enable single sign-on (SSO) (a system that enables SwissPass users to access multiple services with just one login), we share login, card, customer and service data with the central SwissPass login infrastructure during the authentication process.

Access by individual TUs and partners to the shared databases is regulated and limited by a contractual agreement. The sharing and processing by the other TSPs and NDS partners who use the central database is normally limited to contract processing, ticket control, after-sales service and revenue distribution. In certain cases, the data collected during purchase transactions for NDS services is also used for marketing purposes. These include analysing the data to improve and promote public transport services in line with customer needs. If you are contacted for this purpose, it will normally be by us at Thurbo. The other TSPs and partner companies associated with NDS will contact you only in exceptional circumstances and under strict conditions, and only if an analysis of the data shows that a particular public transport service would be beneficial for you as a customer. Contact by SBB is the one exception to this rule. SBB handles the marketing of NDS services (such as GA and half-fare travelcards) on behalf of NDS and may contact you at regular intervals in connection with these services.

Our legitimate interest forms the legal basis for processing the data described here. 

Types of data processed:

  • User data (e.g. names, addresses)
  • Contact data (e.g. e-mail, telephone numbers)
  • Content data (e.g. text input, photographs, videos)
  • Usage data (e.g. websites visited, interest in content, access times)
  • Metadata/communication data (e.g. device information, IP addresses) 

Categories of data subject

Visitors to and users of the online service (we also refer to data subjects collectively hereinafter as “users”). 

Purposes of data processing 

  • To make our online service, features and content available.
  • To respond to requests for contact and communicate with users.
  • Security measures. 

Terminology used

“Personal data” means all information relating to an identified or identifiable natural person (hereinafter “data subject”); a natural person is regarded as being identifiable if they can be directly or indirectly identified, especially by means of attribution to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or one or more special features which are an expression of that natural person’s physical, physiological, genetic, psychological, economic, cultural or social identity.

“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. This is a wide-ranging term which covers practically all instances of data handling.

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 

Relevant legal basis

Pursuant to Art. 13 GDPR, we provide you with information about the legal basis for our data processing. If the legal basis is not stated in the Privacy Policy, the following applies: the legal basis for obtaining consent is Art. 6 paragraph 1 (a) and Art. 7 GDPR, the legal basis for processing in order for us to perform our services and contractual steps and to respond to requests is Art. 6 paragraph 1 (b) GDPR, the legal basis for processing in order for us to comply with our legal obligations is Art. 6 paragraph 1 (c) GDPR, and the legal basis for processing for the purposes of our legitimate interests is Art. 6 paragraph 1 (f) GDPR. If the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, Art. 6 paragraph 1 (d) GDPR shall apply as the legal basis. 

Security measures

Pursuant to Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

These measures particularly include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data and access relating to the data, input and forwarding, as well as ensuring availability and separation. Moreover, we have put processes in place to ensure the protection of data subjects’ rights, the deletion of data and the response if data are put at risk. We also take the protection of personal data into account at the development stage and when selecting hardware, software and processes, pursuant to the principle of data protection by design and by default (Art. 25 GDPR). 

Cooperation with processors and third parties

If, within the context of our processing, we disclose or transmit data to other persons and companies (processors or third parties) or grant them access to the data in some other way, this shall only take place on the basis of legal authorisation (e.g. if the transmission of data to third parties, such as payment service providers, is necessary for the performance of a contract, pursuant to Art. 6 paragraph 1 (b) GDPR), if you have given your consent, if this is stipulated by a legal obligation or on the basis of our legitimate interests (e.g. when engaging the services of processors, web hosts etc.). 

If we appoint third parties to process data on the basis of a “processing contract”, this shall be on the basis of Art. 28 GDPR. 

Transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this takes place within the context of the use of third-party services or the disclosure or transfer of data to third parties, this shall only occur if this is for the performance of a contract or for us to fulfil our obligations prior to entering a contract, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual authorisation, we only process data in a third country or transfer data to a third country for processing if the special provisions of Art. 44 et seqq. GDPR apply. This means, for example, that the processing takes place on the basis of special guarantees, such as the officially recognised declaration of a level of data protection commensurate with the level in the EU (e.g. the “Privacy Shield” for the USA) or adherence to officially recognised special contractual obligations (known as “standard contractual clauses”).

Rights of the data subject

You have the right to request confirmation as to whether personal data concerning you are being processed and to information about these data as well as to further information and a copy of the data, pursuant to Art. 15 GDPR.

You have the right, pursuant to Art. 16 GDPR, to have incomplete personal data completed or to obtain the rectification of inaccurate personal data.

You have the right, pursuant to Art. 17 GDPR, to obtain the erasure of personal data concerning you without undue delay, or alternatively, pursuant to Art. 18 GDPR, the right to obtain restriction of processing.

You have the right to receive the personal data concerning you, which you have provided to us, and to transmit those data to another controller, pursuant to Art. 20 GDPR. 

You also have a right, pursuant to Art. 77 GDPR, to lodge a complaint with the competent supervisory authority. 

Right to withdraw consent

You have the right, pursuant to Art. 7 paragraph 3 GDPR, to withdraw your consent with future effect. 

Right to object

Pursuant to Art. 21 GDPR, you have the right to object at any time to the future processing of personal data concerning you. You can particularly object to processing for direct marketing purposes. 

Cookies and the right to object to direct marketing

Cookies are small files stored on a user’s computer. A variety of information can be stored in cookies. The main purpose of a cookie is to store information about a user (or about the device on which the cookie is stored) during and sometimes after a visit within the context of an online service. Temporary cookies known as “session cookies” or “transient cookies” are cookies which are deleted when a user leaves an online service and closes their browser. The contents of a shopping basket in an online shop or a login status can, for example, be stored in a cookie of this kind. “Permanent” or “persistent” cookies are cookies which are still stored even after the browser has been closed. This means, for example, that the login status can be stored if the user visits the site a few days later. A user’s interests, which can be used to measure reach or for marketing purposes, can also be stored in a cookie of this kind. “Third-party cookies” are cookies that are placed by a supplier other than the controller of the online service (cookies that are just the controller’s cookies are known as “first-party cookies”).

We may set temporary and permanent cookies and explain these in our Privacy Policy.

If users do not want cookies to be stored on their computer, they are asked to deactivate the relevant option in their browser’s system settings. Stored cookies may be deleted in the browser’s system settings. Declining cookies may restrict the functionality of this online service.

You can generally opt out of the use of cookies placed for online marketing purposes for many services, especially in the case of tracking, via the American website or the EU website You can also control the storage of cookies by deactivating them in your browser’s settings. Please note that you may then not be able to use all the features of this online service. 

Erasure of data

The data we process are erased or their processing is restricted pursuant to Art. 17 and 18 GDPR. Unless expressly stated in this Privacy Policy, the data that we store shall be erased when they are no longer necessary for their intended purpose and when there is no statutory storage requirement that prevents them from being erased. If the data are not erased because they are required for other, legally permitted purposes, their processing will be restricted. This means that the data will be locked and will not be processed for other purposes. This applies, for example, to data that need to be kept for reasons associated with commercial law or tax legislation. 

Making contact with us

If a user makes contact with us (e.g. via the contact form, e-mail, telephone or social media), the user’s data will be used for processing and handling the contact request pursuant to Art. 6 paragraph 1 (b) (within the context of contractual relationships or steps prior to entering a contract) and Art. 6 paragraph 1 (f) (other requests) GDPR. The user’s data may be stored in a customer relationship management system (“CRM system”) or similar request system.

We delete the requests when they are no longer required. We check whether they are required every two years; statutory archiving obligations also apply. 

Contact forms 

We will only use your personal data and any other data provided voluntarily (such as your title, address, telephone number and company) to answer your message as accurately and specifically as possible. Any information you voluntarily provide as to how you became aware of our service may also be used in anonymised form for internal statistical purposes.

If you are contacting us regarding a journey with Thurbo for which you used a personal ticket/travelcard issued in your name, please note that we may carry out a manual comparison with the electronic booking and travelcard data available to us, insofar as this is necessary and permissible for responding to your query (see Section 9 of the T600 General Passenger Tariff). Your query will not be directly linked to the information in the customer database (KUBA) of booking and sales platforms for Swiss public transport.

Where necessary, data will be disclosed within the association known as “Direkter Verkehr” of over 240 public transport companies and to transport networks for the purposes of executing contracts, checking tickets and (after informing affected customers) providing after-sales/customer services. 

Form «Travelling without a valid or partially valid ticket»

The following applies to queries about travelling without a valid ticket:

Data collected for the purpose of recording passengers without a valid ticket (PWVT) is stored and processed primarily on the basis of the Federal Passenger Transport Act (PTA, 745.1, Art. 20a) and the Passenger Transport Ordinance (PTO 745.11, Art. 58a and 58b). The tariff-related principles for the recording of passengers without a valid ticket, on which the transport contract is based can be found in Tariff T600.5 “Passengers without a valid ticket/misuse, forgery”.

The requirements of the T600 “General Passenger Tariff”, on which the transport contract is based, and the tariffs of the relevant transport networks shall apply to the processing of personal and customer data from the sale of a ticket or travelcard (customer database, KUBA). 

Hosting and sending e-mail

We use hosting services in order to make the following services available: infrastructure and platform services, processing capacity,  memory and database services, sending e-mail, security services and technical maintenance services that we use in order to operate this online service. 

In doing so, we or our hosting suppliers process user data, contact data, content data, contract data, usage data, metadata and communication data concerning customers, interested parties and visitors to this online service on the basis of our legitimate interests in the efficient and secure provision of this online service pursuant to Art. 6 paragraph 1 (f) GDPR in conjunction with Art. 28 GDPR (conclusion of a processor contract). 

Collecting access data and log files

On the basis of our legitimate interests pursuant to Art. 6 paragraph 1 (f) GDPR, we or our hosting supplier collect data about each time the server on which this service is located is accessed (“server log files”). The access data include the name of the website accessed, file, date and time of access, the volume of data transmitted, the message concerning successful access, the browser type including version, the user’s operating system, the referrer URL (the site previously visited), IP address and the provider making the request.

Log file information is kept for a maximum period of seven days for security reasons (e.g. for investigating acts of improper use or fraud), after which time it is deleted. Data that need to be kept for longer for evidence purposes are not deleted until the incident in question has been fully investigated. 

Google Analytics

On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online service pursuant to Art. 6 paragraph 1 (f) GDPR), we use Google Analytics, a web analysis service provided by Google LLC (“Google”). Google uses cookies. The information about users’ use of the online service which is generated by the cookie is generally transmitted to one of Google’s servers in the US and stored there.

Google is certified under the Privacy Shield agreement and therefore guarantees compliance with European data protection legislation: Link.

Google uses this information at our behest to evaluate users’ use of our online service, to produce reports about activity within the context of our online service and to provide us with other services related to use of this online service and the Internet. As part of this process, users’ pseudonymous usage profiles may be created from the processed data.

We use Google Analytics only with activated IP anonymisation. This means that the user’s IP address is truncated by Google in member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to one of Google’s servers in the US and truncated there.

Google does not link the IP address transmitted by the user’s browser to other data. Users can prevent the storage of cookies via the relevant setting in their browser software; users can also prevent Google from collecting the data generated by the cookie concerning their use of the online service and prevent Google from processing these data by downloading and installing the browser plug-in which is available via the following link: Link.

You can find further information about how Google uses your data and options for settings and opting out in Google’s privacy policy and in the settings for the display of advertisements by Google.

Users’ personal data are deleted or anonymised after 14 months. 

Online presence in social media 

We maintain an online presence within social networks and platforms in order to communicate with customers, interested parties and users who are active there and to provide them with information there about our services. Access to the relevant networks and platforms is regulated by the general terms and conditions and the data processing guidelines of the operator in question. 

Unless otherwise stated in our Privacy Policy, we process user data if these users communicate with us via the social networks and platforms, e.g. if they post on our pages or send us messages. 

Incorporation of third-party services and content

As part of our online service and on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online service pursuant to Art. 6 paragraph 1 (f) GDPR), we use content and services offered by third-party suppliers in order to incorporate their content and services, such as videos or fonts (hereinafter referred to collectively as “content”).  

This means that the third-party suppliers of this content must always know a user’s IP address, because they cannot send content to the user’s browser without it. The IP address is therefore essential in order for this content to be displayed. We endeavour only to use content whose suppliers use the IP address solely for the purposes of delivering the content. Third-party suppliers may also use “pixel tags” (invisible graphics, which are also called “web beacons”) to gather statistics or for marketing purposes. Information such as visitor traffic to the pages of this website can be analysed by the pixel tags. The pseudonymous information may also be stored in cookies on the user’s device and may include, for example, technical information about the browser and operating system, referrer websites, the time of the visit and further details about the use of our online service. It may also be combined with similar information from other sources.


We incorporate videos from the “YouTube” platform supplied by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy, opt-out:

Google Fonts 

We incorporate the fonts (“Google Fonts”) supplied by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy, opt-out: 

Google Maps

We incorporate maps provided by the “Google Maps” service supplied by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may particularly include users’ IP addresses and location data, but these are not collected without the users’ consent (usually given within the settings of their mobile devices). The data may be processed in the USA. Privacy Policy, opt-out: 

Adobe Typekit Fonts

On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online service pursuant to Art. 6 paragraph 1 (f) GDPR), we use external “Typekit” fonts supplied by Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland. Adobe is certified under the Privacy Shield agreement and therefore guarantees compliance with European data protection legislation.

(As at: 1.1.2020)